I’ve never been a security guy…now that that’s out of the way
I have a couple of standalone apps I have written that use REST calls to Epicor and are using "Basic Authentication", meaning I have to pass username and login on every call, which seems to work fine but feels clunky to me.
I’ve seen other posts that talk about different types of authentication when using the REST api, but it’s not clear what option I should use if we are Saas hosted.
Do I just use the “Azure Active Directory Authentication” ?
Described around page 78 of this document: Sign In
You only need to use basic auth on your call to the token service (which shouldn’t be exposed publicly). From that point on, use the token service to generate bearer tokens for continued authorization.
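The flow this reply describes (credentials sent once to the token service, bearer token reused afterwards, refreshed when it expires or is rejected), as an added example that is not code from the thread or from Epicor. The token endpoint path `TokenResource.svc/`, the response fields `AccessToken` and `ExpiresIn`, the base URL and the credentials are assumptions; the server is a constructed in-memory stand-in so the example runs offline, and the same client would be pointed at a real transport in production.

```python
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


Transport = Callable[[Request], Response]


class TokenClient:
    """Send Basic credentials only to the token service; use a cached bearer token elsewhere."""

    def __init__(self, base_url: str, username: str, password: str, transport: Transport,
                 token_path: str = "TokenResource.svc/", skew: float = 30.0,
                 clock: Callable[[], float] = time.time):
        self._base_url, self._username, self._password = base_url, username, password
        self._transport, self._token_path, self._skew, self._clock = transport, token_path, skew, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _basic_header(self) -> str:
        raw = f"{self._username}:{self._password}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def get_token(self) -> str:
        # Reuse the cached token until it is within `skew` seconds of expiry.
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        req = Request("POST", self._base_url + self._token_path,
                      {"Authorization": self._basic_header(), "Accept": "application/json"})
        resp = self._transport(req)
        if resp.status != 200:
            raise RuntimeError(f"token request failed: HTTP {resp.status}")
        data = json.loads(resp.body)                      # assumed shape: AccessToken / ExpiresIn
        self._token = data["AccessToken"]
        self._expires_at = self._clock() + float(data["ExpiresIn"])
        return self._token

    def call(self, method: str, path: str) -> Response:
        """Call the API with a bearer token; on 401, re-authenticate once and retry."""
        resp = Response(401, "")
        for attempt in range(2):
            req = Request(method, self._base_url + path,
                          {"Authorization": "Bearer " + self.get_token(), "Accept": "application/json"})
            resp = self._transport(req)
            if resp.status != 401 or attempt == 1:
                break
            self._token = None                            # token revoked server-side: force refresh
        return resp


class FakeServer:
    """Constructed stand-in: issues 300-second tokens for one known user, checks bearer headers."""

    def __init__(self, clock: Callable[[], float]):
        self.clock, self.requests, self.issued, self.valid = clock, [], 0, {}

    def __call__(self, req: Request) -> Response:
        self.requests.append(req)
        auth = req.headers.get("Authorization", "")
        if req.url.endswith("TokenResource.svc/"):
            if auth != "Basic " + base64.b64encode(b"manager:s3cret").decode():
                return Response(401, "")
            self.issued += 1
            token = f"tok{self.issued}"
            self.valid[token] = self.clock() + 300
            return Response(200, json.dumps({"AccessToken": token, "ExpiresIn": 300}))
        if auth.startswith("Bearer ") and self.valid.get(auth[7:], 0) > self.clock():
            return Response(200, "[]")
        return Response(401, "")


def demo() -> Dict[str, int]:
    """Three normal calls, one after expiry, one after server-side revocation."""
    now = [1000.0]
    server = FakeServer(lambda: now[0])
    client = TokenClient("https://example.invalid/ERP10/", "manager", "s3cret", server, clock=lambda: now[0])
    for _ in range(3):
        client.call("GET", "api/v1/Erp.BO.CustomerSvc/Customers")  # hypothetical path
    now[0] += 400                                         # cached token has expired
    client.call("GET", "api/v1/Erp.BO.CustomerSvc/Customers")
    server.valid.clear()                                  # server revokes every token
    final = client.call("GET", "api/v1/Erp.BO.CustomerSvc/Customers")
    auths = [r.headers["Authorization"] for r in server.requests]
    return {"tokens_issued": server.issued,
            "basic_auth_requests": sum(a.startswith("Basic ") for a in auths),
            "bearer_requests": sum(a.startswith("Bearer ") for a in auths),
            "final_status": final.status}


if __name__ == "__main__":
    print(demo())
```

The point to check in your own client is the ratio the demo reports: the password travels only on the token-service requests (three, one per token issued), while every business call carries a bearer token, including the retry after the server stops accepting the old one.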
Since he is SaaS, it would be exposed publicly. He can still use the Token Service but authenticate using Epicor IdP or Entra ID - the artist formerly known as Azure Active Directory. This would give them MFA as well as other goodies not available with phishing-prone usernames and passwords.
A little stuck obtaining the token, getting this error:
(code from the rest services documentation obtaining a token)
Type or Namespace TokenObject could not be found
A quick search online did not help
( @Mark_Wonsil I will try to explore Epicor IdP or Entra ID next, but I thought this was a good step for my security understanding, as I mentioned I’m no security guy)